Hello folks, in this post we are going to discuss some of the automated tools used to find SQL injection in applications during an application security assessment. SQL injection is one of the most dangerous vulnerabilities in web applications. A well-exploited SQL injection can leak information from the database, modify database data (Insert/Update/Delete), and execute administration operations on the database (such as shutting down the DBMS). In the worst-case scenario, it is also possible to escalate privileges from DBA to system admin using SQL injection. We already discussed SQL injection in layman's terms in the previous post, SQL Injection From Scratch.
Here, we have collected some of the tools which can be used to automate the process of finding and exploiting SQL Injection Vulnerability.
SQLMap is one of the most popular open-source tools for SQL injection detection and exploitation. It supports exploitation against many different types of databases, including targets that sit behind a firewall. It supports multiple injection techniques, such as blind, union, and error-based. SQLMap can also obtain an OS shell. A set of firewall-evasion scripts is also available.
SQLMap supports exploitation for these database systems: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, MariaDB, MemSQL, TiDB, CockroachDB, HSQLDB, H2, MonetDB, Apache Derby, Amazon Redshift, Vertica, Mckoi, Presto, Altibase, MimerSQL, CrateDB, Greenplum, Drizzle, Apache Ignite, Cubrid, InterSystems Cache, IRIS, eXtremeDB, FrontBase, Raima Database Manager, YugabyteDB and Virtuoso database management system.
How to update SQLMap only in Linux?
To update only SQLMap on Linux, use the command: sudo apt-get install --only-upgrade sqlmap
JSQL Injection is also a free, open-source tool that automates the SQL injection finding process. It is a cross-platform application that is available for Linux, Windows, and Mac. It supports injection for these databases: Access, Altibase, C-treeACE, CockroachDB, CUBRID, DB2, Derby, Exasol, Firebird, FrontBase, H2, Hana, HSQLDB, Informix, Ingres, InterSystems-IRIS, MaxDB, Mckoi, MemSQL, MimerSQL, MonetDB, MySQL, Neo4j, Netezza, NuoDB, Oracle, PostgreSQL, Presto, SQLite, SQL Server, Sybase, Teradata, and Vertica. Different injection techniques such as error injection, blind injection, and time-based injection are supported.
Havij was a very popular SQL exploitation tool in its time. Most newbie hackers used this tool in their early days for defacing websites. Requests from Havij can be identified by a unique user agent, Mozilla/4.0. Once Havij is pointed at a vulnerable website, it enables the attacker to analyze the site and bring back the DB name, the table names, and the actual data.
Havij can be downloaded from here.
BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when going after tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing a lot of customization for those hard-to-trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile.
BLISQY – Time-Based SQL Injection in HTTP Header
Blisqy helps you identify a MySQL/MariaDB injection on a web server. This tool can exploit SQL injection in HTTP headers. You first have to determine the potential injection scenario in order to exploit blind SQL injection on a web server. After identifying a time-based blind SQL injection on a web server, the following command snippet is used for exploitation:
--inject "' or if((*sql*),sleep(*time*),0) and '1'='1"
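A defender-side check for the two indicators mentioned above (the Mozilla/4.0 user agent attributed to Havij and the if(...,sleep(...),0) template used for header injection), as an added example that is not part of the original post or of either tool. The log lines are constructed, and the Apache combined log format and the function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (Apache "combined" format assumed); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /artists.php?artist=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=3 HTTP/1.1" 200 734 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET / HTTP/1.1" 200 1024 "-" "' or if((select 1),sleep(5),0) and '1'='1"
198.51.100.9 - - [10/Oct/2023:13:57:16 +0000] "GET / HTTP/1.1" 200 1024 "x%27+or+if%28%28select+1%29%2Csleep%285%29%2C0%29+and+%271%27%3D%271" "Mozilla/5.0"
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shape of the template quoted above: if(<condition>, sleep(<seconds>), 0)
TIME_BASED = re.compile(r"\bif\s*\(.*\bsleep\s*\(", re.IGNORECASE | re.DOTALL)


def classify(line):
    """Return (client_ip, findings) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = []
    # Only the fields a combined-format log records can be inspected here;
    # other request headers need a WAF or application-level logging.
    for field in ("request", "referer", "agent"):
        if TIME_BASED.search(unquote_plus(m[field])):
            findings.append(f"time-based-sqli:{field}")
    # Weak signal on its own: legacy Internet Explorer also sent Mozilla/4.0.
    if m["agent"].startswith("Mozilla/4.0"):
        findings.append("ua-mozilla-4.0")
    return m["ip"], findings


def scan(lines):
    """Keep only the parsed lines that produced at least one finding."""
    results = (classify(line) for line in lines)
    return [r for r in results if r and r[1]]


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

The user-agent match is best correlated with request rate or injection patterns from the same client before alerting, since the prefix alone also matches old browsers.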
Damn Small SQLi Scanner
Damn Small SQLi Scanner (DSSS) is a complete SQL injection scanner (supporting GET and POST methods). It is very small in the sense that it is written in less than 100 lines of code. It also supports other parameters such as cookies, the Referer header, and the user agent. The following command can be used to run Damn Small SQLi Scanner. The link to DSSS is here.
python dsss.py -u "http://testphp.vulnweb.com/artists.php?artist=1"
NOSQL Injection Exploitation Tool – NoSQLMap
NoSQLMap is an open-source Python tool intended to perform SQL Injection vulnerability exploitation to extract data from the database. The tool supports the extraction of data from MongoDB; support for other NoSQL-based databases like CouchDB, Redis, and Cassandra is being planned.
On a Debian or Red Hat based system, the setup.sh script may be run as root to automate the installation of NoSQLMap’s dependencies. The following requirements need to be met:
- Metasploit Framework
- Python with PyMongo and urllib available
- A local, default MongoDB instance for cloning databases to
It is possible to automate the MongoDB and CouchDB database enumeration and cloning attacks. It is also possible to extract database names, users, and password hashes from MongoDB through applications. The tool can scan subnets or IP lists for MongoDB and CouchDB databases with default access and enumerate their versions. Finally, we can also run a brute-force password cracking attack on the extracted hashes to get plain-text passwords.